Alerts
Overview
Get a list of all or filtered alerts. The alerts listed are what remains after alert exclusions are applied by CrowdStrike Falcon.
Configuration
Parameters
Secrets
After entering the required parameters and secrets, you can choose to manually enter the Falcon API Alerts fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your CrowdStrike Falcon API YAML.
withTemporalWindow: true
temporalWindow:
duration: 5m
offset: 0
tz: UTC
format: RFC3339
withAuthentication: true
authentication:
token:
request:
method: POST
url: ${parameters.mydomain}/oauth2/token
headers:
- name: Content-Type
value: application/x-www-form-urlencoded
bodyType: urlEncoded
bodyParams:
- name: grant_type
value: client_credentials
- name: client_id
value: '${secrets.clientID}'
- name: client_secret
value: '${secrets.clientSecret}'
tokenPath: ".access_token"
authInjection:
in: header
name: Authorization
prefix: 'Bearer '
suffix: ''
withEnumerationPhase: true
enumerationPhase:
paginationType: offsetLimit
limit: 100
request:
responseType: json
method: GET
url: ${parameters.mydomain}/alerts/queries/alerts/v2
queryParams:
- name: offset
value: ${pagination.offset}
- name: limit
value: ${pagination.limit}
- name: filter
value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
output:
select: ".resources"
map: "."
outputMode: collection
collectionPhase:
variables:
- source: input
name: resources
expression: "."
format: "json"
paginationType: none
request:
method: POST
url: ${parameters.mydomain}/alerts/entities/alerts/v2
headers:
- name: Accept
value: application/json
- name: Content-Type
value: application/json
responseType: json
bodyType: raw
bodyRaw: |
{
"composite_ids": ${inputs.resources}
}
output:
select: ".resources"
map: "."
outputMode: element
Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset - initial offset should be
0(the latest alert).Format -
RFC3339
Authentication Phase
Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.
Type* -
tokenRequest Method* -
POST(we would need to generate the JWT using the secretsclient_idandclient_secretURL* -
${parameters.domain}/oauth2/tokenHeaders
Name -
Content-typeValue -
application/x-www-form-urlencoded
BodyType* -
UrlEncodedBody params
Name -
grant_typeValue -
client_credentialsName -
client_idValue -
'${secrets.clientID}'Name -
client_secretValue -
'${secrets.clientSecret}'Enumeration Phase
Token Path* -
.access_tokenAuth Injection
In* -
headerName* -
authorizationPrefix -
BearerSuffix -
''
Enumeration Phase
Toggle ON to configure the enumeration phase. This API endpoint requires an initial request that will provide a list of alert ids. In order to get the details about that information, it will require an additional request for those details.
Pagination Type* -
Offset/LimitZero index* - false
Limit* - 100
Request
Response Type* - JSON
Method* -
GETURL* - $
{parameters.domain}/alerts/queries/alerts/v2Query Params
Name - Offset
Value -
${pagination.offset}Name - Limit
Value -
${pagination.limit}Name - Filter
Value -
created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
Output
Select -
.resourcesMap -
.Output Mode -
collection
Collection Phase
Pagination Type* -
noneRequest
Method* -
POSTURL* -
${parameters.domain}/alerts/entities/alerts/v2Headers -
Name -
AcceptValue -
application/jsonName -
Content-TypeValue -
application/json
Output
Select -
.resourcesMap -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?